Apache Camel security advisory: CVE-2022-45046
Summary: LDAP Injection in camel-ldap
Versions affected: 3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0.
Versions fixed: 3.14.6, 3.18.4
Description: LDAP Injection in the camel-ldap component when using the filter option.
The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-186906 refers to the various commits that resolved the issue and has more details. The camel-spring-ldap component is not affected; users could move to the camel-spring-ldap component instead.
After further analysis, the reported security vulnerability is a false alarm (no security risk) and this CVE has been retracted.
Mitigation: Users should upgrade to 3.14.6 or 3.18.4.
Credit: This issue was discovered by 4ra1n from Chaitin Tech.
- PGP signed advisory data: CVE-2022-45046.txt.asc
- Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45046